Re: [OPSEC] draft-ietf-opsec-v6

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 08 April 2019 09:22 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5357012029F for <opsec@ietfa.amsl.com>; Mon, 8 Apr 2019 02:22:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=QCNOimN5; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=C+iCHLkR
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TxmPTtuBjS1J for <opsec@ietfa.amsl.com>; Mon, 8 Apr 2019 02:22:28 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E48E12006D for <opsec@ietf.org>; Mon, 8 Apr 2019 02:22:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12654; q=dns/txt; s=iport; t=1554715348; x=1555924948; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=T0FFBbMUVVOwDqDuv1S67fx30+kJqbkL1I5B7DVVxIs=; b=QCNOimN5oLx6XB6EY/RuKZDS4xxfWw0HletwNraHqp+mMqEEsvpi15Ov bjcC9IUeU60lXsiN+ntccTEBNelgncgVKCg+uj4xiRCpfG66Qz1yH0/ZS kU9Gx4zd5J6OCE5fDMix9UoXH3pY2mcal+BdefVXUnIXLzVse2v7sywE+ E=;
IronPort-PHdr: =?us-ascii?q?9a23=3AyvHllhJrnfEFbtkNStmcpTVXNCE6p7X5OBIU4Z?= =?us-ascii?q?M7irVIN76u5InmIFeBvad2lFGcW4Ld5roEkOfQv636EU04qZea+DFnEtRXUg?= =?us-ascii?q?Mdz8AfngguGsmAXEDlPfjhbCESF8VZX1gj9Ha+YgBY?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ATAACKEqtc/5ldJa1lGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBUgQBAQEBCwGBPVADaFQgBAsnhA6DRwOPJoIygSOWGoEuFIE?= =?us-ascii?q?QA1QOAQEYCwmEQAIXhUgiNQgNAQEDAQEJAQMCbRwMhUsCAQMBASEEDQwBASU?= =?us-ascii?q?HCwEPAgEIGgImAgICJQsVEAIEAQ0FgyIBgV0DFQECDKIXAooUcXwzgTmBQAE?= =?us-ascii?q?BBYR4GIIMCIELJQGKJ4EfF4FAPyZqAScME4IXNT6CYQEBAoEjU4JzMYImijs?= =?us-ascii?q?BBwFKggiYEWIJAokoiC6CKxqCBYYWjEGLU5BRgy0CBAIEBQIOAQEFgVECNIF?= =?us-ascii?q?WcBUaISoBgkEJggGDb4UUhT9yAQGBJo86CwEB?=
X-IronPort-AV: E=Sophos;i="5.60,324,1549929600"; d="scan'208";a="255848232"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Apr 2019 09:22:27 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x389MRvk001834 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 8 Apr 2019 09:22:27 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 8 Apr 2019 04:22:26 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 8 Apr 2019 05:22:25 -0400
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 8 Apr 2019 05:22:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=T0FFBbMUVVOwDqDuv1S67fx30+kJqbkL1I5B7DVVxIs=; b=C+iCHLkRhQXdG02Cf/xSGo0w9nyBoWVjJn5teaA9CtfPjkq6TEGnEuHCSG1ncoH7o0ATWMU+1IxLAq98sbE5udLYWQaRrZo6Zb3hsWF9diCDg9s8bCV2zrYK2s8UtfOcrWnMbUDRla9N7By24tduZ0zHZmiz5MPgiw5bboBOXWc=
Received: from MN2PR11MB4144.namprd11.prod.outlook.com (20.179.150.210) by MN2PR11MB4047.namprd11.prod.outlook.com (20.179.149.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.16; Mon, 8 Apr 2019 09:22:23 +0000
Received: from MN2PR11MB4144.namprd11.prod.outlook.com ([fe80::9158:74ee:b94a:d51f]) by MN2PR11MB4144.namprd11.prod.outlook.com ([fe80::9158:74ee:b94a:d51f%3]) with mapi id 15.20.1771.011; Mon, 8 Apr 2019 09:22:23 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
CC: Fred Baker <fredbaker.ietf@gmail.com>
Thread-Topic: [OPSEC] draft-ietf-opsec-v6
Thread-Index: AQHU5vy/h2vj4/69oUeJULPiBuRBZqYyLLEA
Date: Mon, 8 Apr 2019 09:22:23 +0000
Message-ID: <2C4D7D3C-A524-4B1F-9581-7E847CB29D9F@cisco.com>
References: <DE7EDC79-DBDB-4691-A09B-0B96B9B994F8@consulintel.es>
In-Reply-To: <DE7EDC79-DBDB-4691-A09B-0B96B9B994F8@consulintel.es>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.1.190326
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evyncke@cisco.com;
x-originating-ip: [2001:420:c0c1:36:811c:18de:c3f7:41f0]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2b97db4c-33b8-4b5c-5b11-08d6bc03b58c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:MN2PR11MB4047;
x-ms-traffictypediagnostic: MN2PR11MB4047:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <MN2PR11MB4047B453507A25F19633A189A92C0@MN2PR11MB4047.namprd11.prod.outlook.com>
x-forefront-prvs: 0001227049
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39860400002)(396003)(376002)(346002)(136003)(199004)(15404003)(189003)(46003)(68736007)(229853002)(14444005)(256004)(66574012)(14454004)(8676002)(8936002)(82746002)(105586002)(106356001)(81166006)(81156014)(97736004)(5024004)(316002)(186003)(478600001)(99286004)(6512007)(966005)(6306002)(6486002)(36756003)(25786009)(2616005)(446003)(6436002)(7736002)(305945005)(76176011)(53936002)(86362001)(71190400001)(71200400001)(2501003)(6246003)(476003)(6506007)(58126008)(6116002)(486006)(2906002)(83716004)(110136005)(5660300002)(4326008)(53386004)(33656002)(102836004)(11346002); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4047; H:MN2PR11MB4144.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: E++gNSyMxs+ZojVmRcpb6DxPMRPH9LFCMjxeq7OLLLaLxg/l5rKz9m3myI7Box6/qVdefZFSEIphWzdnMHgfRk4t2O3q/EpsmOe1fSTPX80BmwH2RWytrXj4+LlPY7uQJqI1UHuR5MpXU97sMqZhRgsNlPbROVnzDz2CAiiIXhLiPPRo3UdUMPyz4KiSGiH77hbVsh+nh3f4E9YgRsUWzJw4mz9NLIFaJ7kDCl8UESuY94s15VDNKEYvw+U5aLdNPTYs+o/8g8S+Z8DY4kvWWKpK/G2TI0TWhrjkpVf35X64udF30M4TkW0eYC4YP9r1JAqJkchbvLLXpofqvmKKDzVGsCu2IkargObDveihE2YZg9qXEhxqzmCGPFgUfPkPYkiRK4QE/x76NtnraUs8pkQgUkJtrPBpFJRARu6KIrs=
Content-Type: text/plain; charset="utf-8"
Content-ID: <7F474C8256B75745BD15CBF8974E416C@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 2b97db4c-33b8-4b5c-5b11-08d6bc03b58c
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Apr 2019 09:22:23.4250 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4047
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/u5PddD6fgMC7wvK7RaAZ-LDZrvA>
Subject: Re: [OPSEC] draft-ietf-opsec-v6
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 09:22:31 -0000

	Thank you Fred  and Jordi

-éric

On 30/03/2019, 14:30, "OPSEC on behalf of JORDI PALET MARTINEZ" <opsec-bounces@ietf.org on behalf of jordi.palet=40consulintel.es@dmarc.ietf.org> wrote:

    Additional inputs follow. I will follow the discussion if anything else need to be clarified.
    
    2.3.3.  Securing DHCP
    Dynamic Host Configuration Protocol for IPv6 (DHCPv6), as originally
       detailed in [RFC3315] now obsoleted by [RFC8415]
    
    I think it should mention directly RFC8415, not the older document, as in case it is needed, RFC8415 already have the reference to the older one, updates, etc.
    
    Same across the complete document, replace 3315 with 8415.
    
    
    2.3.4.  3GPP Link-Layer Security
    Even if is not common today, DHCPv6 and -PD are also supported in 3GPP, so may be a reference to the same considerations that apply in that case from DHCP scenarios?
    
    2.5.1.  Authenticating Neighbors/Peers
    Similar comment: [RFC7166] (which obsoletes [RFC6506]
    I don't think across the text it makes sense to refer to the obsoleted/updated documents, unless there anything that need to be taken in consideration, as all the "new" documents will already mention the older ones.
    
    I've seen this in at least 5 more places across the text.
    
    
    2.6.  Logging/Monitoring
    In "Please note that there are privacy issues related to how those logs
       are collected, kept and safely discarded.  Operators are urged to
       check their country legislation."
    
    You may want to point to something very specific, at least as an example, as GDPR, as it may have many "new" implications.
    
    Also, cases where some technologies can't be deployed in some countries, because they lack of compliance about the minimum data to be logged.
    
    2.6.1.6.  RADIUS Accounting Log
    Nit: [IEEE-802.1X]wired -> [IEEE-802.1X] wired
    
    2.6.2.2.  Inventory
    Nit: such packets... -> such packets.
    
    2.7.1.  Dual Stack
    Nit: are provided in Section 2.8 -> are provided in Section 2.8.
    
    Can't parse: global IPv6 address is rogue RA
    I think it means: global IPv6 address if rogue RA
    
    2.7.2.  Transition Mechanisms
    There are many tunnels used for specific use cases.  Except when
       protected by IPsec [RFC4301], all those tunnels have a couple of
       security issues (most of them because they are tunnels and are
       described in RFC 6169
    
    Maybe reads better this way:
    There are many tunnels used for specific use cases.  Except when
       protected by IPsec [RFC4301], all those tunnels have a couple of
       security issues, most of them because the fact of being tunnels as
       described in RFC 6169
    
    traffic interception: no confidentiality is provided by the tunnel
          protocols (without the use of IPsec)
    replace with:
    traffic interception: no confidentiality is provided by the tunnel
          protocols (without the use of IPsec or alternative methods)
    
    Also, one more nit, for consistence in this section (I've seen this in other parts of the document), some bullets finish with ";" others with ".".
    
    No mention to 6over4 (RFC2529)?
    
    The full section intro seems to care about "IPv6 in IPv4". Not sure if in the same section, or a different one, there should be some text considering that this will turn around, may be is needed to care about IPv4 in IPv6?
    
    2.7.2.8.  Teredo
       Teredo is now mostly never used and it is no more automated in most
       environment, so, it is less of a threat.
    I think this is somehow incomplete, in the sense that many users/enterprises are still running very old or non-updated OSs. A warning on that can make it:
       Teredo is now mostly never used and it is no more automated in most
       environment, so, it is less of a threat, however, special consideration must be taken in case of devices with older or non-updated operating systems may be present, which by default were running Teredo.
    
    May be a similar text can be used as well for 6to4 (2.7.2.7.  6to4).
    
    May be some considerations for LDPv6 in a specific section, such as done for 2.7.2.4.  6PE and 6VPE.
    
    Some mechanisms do translation and encapsulation, so some text to explain that both security risk-sets can apply there.
    
    Also, after reading all those sections, I've a suggestion. I don't think "2.7.2.  Transition Mechanisms" is the right title for that section. This is already part of "2.7.  Transition/Coexistence Technologies". I will suggest:
    2.7.2.  Encapsulation Mechanisms
    
    2.7.3.1.  Carrier-Grade Nat (CGN)
    May be 
    2.7.3.1.  Carrier-Grade NAT (CGN)
    
    I think a reference to the wording AFTR needs also to be included as per RFC6333.
    For example:
    Address Family Transition Router (AFTR, RFC6333), Carrier-Grade NAT (CGN), also called NAT444 CGN ...
    
    2.7.2.6.  Mapping of Address and Port
    I understand the way you organized those, but because MAP-T and MAP-E have different implications (translation vs encapsulation), I will suggest to either split it, even if text is partially duplicated, or at least have a sub-section in the translation section for MAP-T with a reference to this.
    
    2.7.3.2.  NAT64/DNS64
    Either a new section for 464XLAT, or a p. and change the section title:
    2.7.3.2.  NAT64/DNS64 and 464XLAT
    464XLAT (RFC6877) shares the same security considerations as NAT64 and DNS64, however it can be used without DNS64, avoiding the DNSSEC implications.
    May be a reference to draft-ietf-v6ops-nat64-deployment, is useful.
    Also a mitigation, in some cases to avoid everything to be translated by the NAT64 is the use of EAMT (RFC7757).
    
    Missing lw4o6 (RFC7596) section as well?
    
    May be some generic considerations for IPv6-only and IPv4-as-a-Service (draft-ietf-v6ops-transition-ipv4aas), such as the need to include a DNS-proxy in devices running the transition mechanism.
    
    One more suggestion. Reorder alphabetically the sub-sections, for example, the encapsulation mechanisms, the translation mechanisms, etc. It may be worth to look into that in the rest of the document as well.
    
    3.2.  Internal Security Considerations:
    
       As mentioned in Section 2.6.2, care must be taken when running
       automated IPv6-in-IP4 tunnels.
    Some text also about IPv4-in-IPv6?
    
    What about allowing/disallowing VPNs (yes, it is a tunnel, but explicit mention)?
    
    Nit: provided in Section 2.8 -> provided in Section 2.8.
    
    4.1.  BGP
    
    Is not just prefix filtering, also boggon ASN filtering.
    Add a recommendation for RPKI and strong filtering to avoid hijacking (both for 3rd parties and boggons of IPv4, IPv6 and ASN).
    
    
    5.  Residential Users Security Considerations
    
    Replace If the Residential Gateway has IPv6 connectivity, [RFC7084] (that
       obsoletes [RFC6204]) defines the requirements of an IPv6 CPE and does
       not take position on the debate of default IPv6 security policy as
       defined in [RFC6092]:
    
    with 
    If the Residential Gateway has IPv6 connectivity, [RFC7084] and draft-ietf-v6ops-transition-ipv4aas define the requirements of an IPv6 CPE and does
       not take position on the debate of default IPv6 security policy as
       defined in [RFC6092]:
    
    I think in this section, it makes sense a reference to Section 5.  UPnP Support of draft-ietf-v6ops-transition-ipv4aas, which also includes a reference to PCP support.
    
    Final inputs:
    1) Should the document have a special mention that in IPv6 it doesn't make sense, and it has negative implications the complete filtering of ICMP, and instead use rate limiting, or filter only echo/reply?
    
    2) I never thought about it, but maybe there are some (or in some scenarios) implications because Happy Eyeballs, that need to be considered ?
    
    
    
    
    
    
    **********************************************
    IPv4 is over
    Are you ready for the new Internet ?
    http://www.theipv6company.com
    The IPv6 Company
    
    This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
    
    
    
    _______________________________________________
    OPSEC mailing list
    OPSEC@ietf.org
    https://www.ietf.org/mailman/listinfo/opsec